CVE-2012-3426 – keystone

Package

Manager: pip
Name: keystone
Vulnerable Version: >=0 <8.0.0a0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00208 pctl0.43296

Details

OpenStack Keystone token expiration issues OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.

Metadata

Created: 2022-05-17T05:23:24Z
Modified: 2024-11-22T17:53:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xp97-6w7r-4cjc/GHSA-xp97-6w7r-4cjc.json
CWE IDs: []
Alternative ID: GHSA-xp97-6w7r-4cjc
Finding: F039
Auto approve: 1